Dedication
Dedicated To
My Beloved, Dearest and Loving
Mother, Father, Sister, Brothers, Teachers
And All My Family Members
Who motivated, supported & encouraged me in every part
of life
And whatever I am today, it is just because of them
And to all my sweet cousins.
Table of Contents
Characterization of Nuclear Facilities: Identification of Vital Areas in Different Types of Nuclear Facilities
List of Figures ..... iii
List of Tables ..... iv
Abstract ..... v
1 Introduction ..... 1
  Background ..... 1
  OBJECTIVE ..... 2
  SCOPE ..... 3
  STRUCTURE ..... 3
2 Facility Characterization ..... 4
  Facility Characterization Areas of Investigation ..... 4
    Physical Conditions ..... 4
    Facility Operations ..... 4
    Facility Policies and Procedures ..... 5
    Regulatory Requirements ..... 6
    Safety Considerations ..... 6
    Legal Issues ..... 7
  PROTECTING INFORMATION ..... 19
References ..... 21
List of Figures
Figure 1.1 VAI PROCESS
Figure 3.1 Sabotage Fault Tree
List of Tables
Table 1
Table 2 Common Logic Model Representations
Abstract
The possibility that nuclear or other radioactive material could be used for malicious purposes
cannot be ruled out in the current global situation. States have responded to this risk by engaging
in a collective commitment to strengthen the protection and control of such material and to
effectively respond to nuclear security events. The first step is to characterize the facility to be
protected against malicious acts. Before any decisions can be made concerning the level of
protection needed, an understanding of what is being protected and the surrounding environment
is essential. Too often this crucial step is overlooked and security systems are designed that either
overprotect a nonessential component or fail to adequately protect a vital portion of the facility.
When characterizing a facility, information about as many different aspects of the facility as
possible must be obtained and reviewed. This report also presents a structured approach to
identifying the areas that contain equipment, systems, and devices to be protected against sabotage.
The method builds upon safety analyses to develop sabotage logic models for sabotage scenarios
that could cause unacceptable radiological consequences. The sabotage actions represented in the
logic models are linked to the areas from which they can be accomplished. The logic models are
then analyzed to determine areas that must be protected to prevent these unacceptable radiological
consequences.
1 Introduction
The possibility that nuclear or other radioactive material could be used for malicious purposes
cannot be ruled out in the current global situation. States have responded to this risk by engaging
in a collective commitment to strengthen the protection and control of such material and to
effectively respond to nuclear security events. States have agreed to strengthen existing and
established new international legal instruments to enhance nuclear security around the world.
Nuclear security is fundamental in the management of nuclear technologies and in applications
where nuclear or other radioactive material is used or transported.
Each State carries the full responsibility for nuclear security, i.e. to provide for the security
of nuclear and other radioactive material and associated facilities and activities; to ensure the
security of such material in use, storage or in transport; and to combat illicit trafficking and the
inadvertent movement of such material. It should also be prepared to respond to a nuclear security
event. The IAEA recommendations for the protection of nuclear installations against sabotage are
contained in the IAEA Nuclear Security Recommendations [1]. After the attacks of 11 September 2001,
the perception of the potential terrorist threat to nuclear installations changed significantly, and the
IAEA initiated an effort to develop a series of guidance publications on the security of nuclear and
radioactive material and facilities.
This report presents a structured approach to identifying the areas that contain equipment,
systems, and components to be protected against sabotage. It specifically provides detailed
guidance with regard to the identification of vital areas, that is, the areas to be protected in high
consequence facilities [2].
Background
The first step in the Design and Analysis Process Outline (DEPO) is to define the PPS
requirements, and that begins with characterizing the facility, that is, clearly understanding what is
to be protected. Initially the analyst must identify the areas of investigation for this facility characterization
process, and then proceed to collect the information from these areas [2]. Once complete
information about the facility has been acquired, the process of vital area identification (VAI) follows.
Identification of vital areas is an important step in the process of protecting against sabotage.
Vital area identification is the process of identifying the areas in a nuclear facility around which
protection will be provided in order to prevent or reduce the likelihood of sabotage. Reference [1]
indicates that nuclear material in an amount which, if dispersed, could
lead to high radiological consequences (HRCs), together with a minimum set of equipment, systems, or
devices needed to prevent HRCs, should be located within one or more vital areas, which should in turn be located
inside a protected area¹. All measures that have been designed into the facility for safety purposes
should be taken into account when identifying vital areas.
OBJECTIVE
One objective of this report is to clearly describe the process of characterizing
a nuclear facility. Major areas of investigation for facility characterization include
complete information about the facility location, physical conditions, operations, safety
procedures, regulatory requirements, etc., on the basis of which the vital area
identification process is initiated. The second objective of this report is to describe a VAI process that can be
used to (i) identify all candidate sets of vital areas at a nuclear facility and (ii) select a specific set
of vital areas that will be protected. The process for selection of a specific set of vital areas to be
protected is based on consideration of the potential radiological consequences of sabotage, and the
operational, safety, and physical protection objectives for the facility.
¹ High radiological consequences, as referred to in Ref. [1], indicate relatively severe radiological consequences
resulting from large nuclear facilities such as nuclear power plants. The level of protection for vital areas specified in
Ref. [1] is similar to that required to prevent the theft of Category 1 nuclear material. In the context of a graded
approach, the areas that require protection for inventories in lower consequence categories (above unacceptable
radiological consequences but below high radiological consequences) can be identified using the process described in
this publication, although these areas may require lower levels of protection than required for vital areas.
SCOPE
This report focuses on the processes of facility characterization and VAI at nuclear facilities.
These processes can be used to identify the vital areas at existing facilities, and to evaluate the
effect that design changes to existing facilities and design and layout features of new facilities may
have on vital area selection.
STRUCTURE
Section 1 provides the background, objectives, and scope of this report. Section 2 discusses
the processes used to characterize a nuclear facility. Section 3 discusses the process used to identify
vital areas, and the expected results of the process. Also, it outlines policy considerations that must
be addressed by the competent authority (State regulatory body) and actions by the operator prior
to the start of VAI, and describes the step-by-step process leading to the selection of a minimum
set of areas in a nuclear facility that should be protected as vital areas. Section 4 provides guidance
for documenting the results of VAI. The Appendix provides an example of how logic models can
be solved to identify candidate vital area sets.
2 Facility Characterization
The first step in designing a new PPS, or upgrading an existing system, is to characterize the
facility to be protected [2].
Physical Conditions
Perhaps the easiest area to characterize is the physical conditions. Physical conditions
characterization includes identifying the site boundary, the number and locations of buildings in
the complex, room locations within buildings, access points, existing physical protection features,
and all infrastructure details. This information is normally available in blueprints and drawings of
the facility. Physical infrastructure that should be reviewed includes heating, ventilation and air
conditioning systems, communication paths and type (fiber optic, telephone, computer networks,
etc.), construction materials of walls and ceilings, power distribution system, locations of any
hazardous materials, and exterior areas. Physical aspects of a site also include an understanding of
the vegetation, wildlife, background noise (such as airports, rail yards, major highways or
electromagnetic interference), climate and weather, and soil and pavement. This information can
be used to predict adversary paths into a facility, establish target locations, and identify potential
sources of nuisance alarms for protection equipment [2].
Facility Operations
Another major area for investigation is facility operations. This will include such things as
major products of the facility, processes that support these products, operating conditions (working
hours, off-hours, emergency operations), and the types and numbers of employees. A large part of
this stage of data collection is the review of the procedures that are used to accomplish the mission
of the facility.
1. Operational Review of Facility
Operational review of the facility should also include an evaluation of the supporting functions
available at the site. This includes procurement procedures, computing resources and distribution,
maintenance activities, operational involvement and location of senior executives, workflow, shift
changes, employee benefits, shipping and receiving, accounting functions, and any other
supporting functions.
2. Additional Operational Details to Survey
Operational details can reveal important transition periods at a facility. For example, at a shift
change many employees can be entering and exiting the facility. This can be an important input
into the design of any access controls for the facility or parking areas. Knowledge of the workloads
and schedule at the shipping and receiving dock will help when designing an asset tracking system
or implementing controls over the movement of raw materials or product into and out of a facility.
This information will establish the operational needs to be accommodated by any security
upgrades. Vehicle activity into and out of a facility, as well as within the facility (if it is a large
industrial complex), will also provide a basis for security effectiveness evaluations and establish
operational constraints that must be considered as part of the security system design [2].
Regulatory Requirements
All facilities, no matter what their product or business, are responsible to some regulatory
authority. In addition, every facility must meet certain standards in their work practices. These
may be standards imposed by professional organizations, or they may be best practices within an
industry. All construction must meet a variety of state and local building codes. Regardless of the
formality of the regulation, it is important to understand the nature of all the regulations a facility
may be expected or required to meet. These requirements must be considered as a security system
is designed. Obviously, any security system that is implemented cannot put the company at risk of
violating any regulations. These regulations then become an important requirement for the design
and implementation of the security system.
Safety Considerations
Safety and security do not have the same goal, although they are complementary functions.
The safety function wants to give personnel free and rapid egress in case of an emergency, while the
security function wants to control all egress even in an emergency. This is the classic conflict
between safety and security: safety people want evacuation as fast as possible, and security people
want to be sure that no asset is stolen or left unprotected.
It should be clear that an important voice in the design of an effective security system will
be the facility or operational safety officer. Safety and security personnel must work together to
design systems that will be effective in normal (daily operations), abnormal (for example, a fire)
and malevolent conditions (an attack on the facility by a human adversary). Conflicts between
safety and security should be resolved by sound and integrated solutions [2].
Legal Issues
Perhaps the most visible and complex aspect of facility characterization is a thorough
review of the legal issues that should be considered when designing and implementing a security
system. Legal issues cover liability, privacy, access for the disabled, labor relations, employment
practices, proper training for guards, the failure to protect personnel, and excessive use of force by
guards, to list only a few. A good understanding of the criminal justice system will be a very useful
component in the design and implementation of a PPS. Each facility will need to make its own
assessment of which legal issues are concerns and what actions will be taken based on this
information. Some of the legal issues associated with physical protection are security liability,
failure to protect, overreaction, and even labor/employment issues.
Process Overview
The VAI process is depicted in Figure 1. The steps of VAI are as follows:
1) Gather information that is input to the VAI process.
a. Policy considerations. Address the key policy considerations essential to the VAI
process.
b. Site and facility characteristics. Determine the inventories of nuclear and
radioactive material. Evaluate the facility and site characteristics needed to
determine whether sabotage could lead to URCs.
c. Conservative analysis for each inventory. Determine whether the complete release
of any inventory could exceed the HRC criteria. Include direct dispersal of any such
inventory as an event in the sabotage logic model and continue with the process
described below.
2) Identify any initiating events of malicious origin (IEMOs) that can lead indirectly to HRCs.
3) Identify any IEMOs that exceed the capacity of mitigation systems. Include each such
IEMO as an event leading to HRCs in the sabotage logic model.
4) Identify systems to mitigate each IEMO. For each IEMO that does not exceed mitigating
system capacity, identify the safety functions necessary to mitigate the IEMO, the systems
that perform the safety functions, and the success criteria for the systems.
5) Develop a sabotage logic model. Develop a model that identifies the combinations of events
(direct dispersal, IEMOs that exceed mitigating system capacity, and IEMOs coupled with
mitigating system disablement) that would lead to HRCs.
6) Eliminate from the sabotage logic model any events that the assumed threat does not have
the capability to perform.
7) Identify the locations (areas) in which direct dispersal, IEMOs, and the other events in the
sabotage logic model can be accomplished. Replace the events in the sabotage logic model
with their corresponding areas.
8) Solve the sabotage area logic model to identify the combinations of locations that must be
protected to ensure that HRCs cannot occur.
9) Select the vital area set that will be protected to prevent sabotage leading to HRCs.
Facility safety analyses can provide valuable information and models to support VAI. If a
deterministic safety assessment (DSA) or a probabilistic safety assessment (PSA) has been
completed for the facility, it will provide analyses of response of the facility to various initiating
events (IEs) that could be caused by random failure, human error, etc. These events could also be
caused by malicious acts. DSAs and PSAs provide extensive information on site and facility
characterization that will be useful to the VAI team [2].
Policy Considerations
Policy considerations to be addressed prior to initiation of the VAI process are:
1. The explicit definition of unacceptable radiological consequences (URCs) that will require
protection against sabotage;
2. The explicit definition of HRCs that will require designation and protection of vital areas;
3. The operational states for which vital areas should be identified and protected;
4. The safe facility state that should be achieved following a sabotage attack for each
operational state;
5. Whether equipment unavailability events, other than malicious disablement acts, should be
considered to occur concurrent with a sabotage attack;
6. Whether the analysis can take credit for accident management recovery actions following
a sabotage attack;
7. The threat against which the facility should be protected [2].
More detailed consideration will be given to each of these issues in the following sections.
I.
II.
Some facilities may have more than one operational state, such as normal operation, plant
shutdown, and reactor refueling for power reactors. These different operational states may rely on
different equipment to perform necessary safety functions and may require different physical
protection measures to protect the equipment and material. The competent authority should
identify or approve the operational states to be considered in the VAI process. The identification
of vital areas for all operational states can be accomplished by analyzing each operational state, or
by identifying a bounding operational state that will ensure protection during all states. Operational
states to be assessed should be determined considering the possibility of HRCs during each
operational state [2].
III.
There may be a number of facility states that, if achieved subsequent to an accident or transient,
are designed to maintain the facility in a safe state. In principle, all nuclear facilities must maintain
the fundamental safety functions [4] of:
a. Control of reactivity;
b. Cooling of radioactive material;
c. Confinement of radioactive material.
For nuclear power reactors, the safety function of cooling of radioactive material is often
further itemized as reactor coolant pressure control, reactor coolant inventory control, and decay
heat removal. The defined facility safe state(s) may differ for analysis of different facility
operational states. The competent authority should identify or approve the safe facility state for
each facility operational state.
IV.
The VAI team should be careful to identify all implicit and explicit assumptions about
personnel actions included in the safety and other analyses used as input to the VAI. After these
actions have been identified, the team should determine whether credit can be taken for such
actions as part of the facility response to sabotage. During the course of the VAI, the team may
also identify possible recovery actions to compensate for disabled equipment. In this case too, the
VAI team should determine whether credit should be taken for the recovery actions as part of the
facility response to sabotage. The VAI team should document the rationale for crediting personnel
actions, including recovery actions.
V.
Threat characteristics
Physical protection of nuclear facilities should be based on the State's current evaluation of
the threat. The competent authority should specify the threat characteristics against which the
operator should provide protection in a design basis threat or other threat evaluation. The threat
characteristics are used in the VAI process to determine the malicious acts the threat is capable of
performing [2].
may be needed to determine the potential consequences of radiological releases if the criteria for
URCs are directly related to off-site exposure rather than to surrogates, such as core damage or
containment failure.
ii.
characteristics, and quantities; information on the nuclear facility's critical safety functions (e.g.
shielding, criticality prevention, cooling, confinement, fire prevention, structural integrity); and
the process and safety system details needed to determine the equipment, systems, and devices
that must be protected in order to prevent HRCs.
The information needed for site and facility characterization should be available from the
facility safety case or other safety analysis documentation.
attacks against equipment, systems, structures, components, devices or operator actions that
normally maintain the facility in a safe state. If the potential radiological consequences of the
release of a complete inventory are equal to or greater than an HRC limit, the possibility of sabotage
that could lead indirectly to HRCs should be considered. To determine the areas that should be
protected to prevent acts that lead indirectly to HRCs, two types of sabotage attacks should be
considered, namely those:
1. Causing an IE that creates conditions more severe than the facility mitigating systems can
accommodate (that is, events that are beyond the safety design basis);
2. Causing an IE and disabling the systems needed to mitigate the effects of the IE.
An IE that is deliberately caused by an adversary in an attempt to cause a release from a facility is
called an IEMO [2].
3) The third category of IEMOs involves sources of radioactive material releases that may not
have been within the scope of safety documents.
Design documents for the nuclear facility provide the information needed to identify the
areas in which the sabotage events can be accomplished. General arrangement drawings should
provide area, room, walls and doors and access route information. Piping and instrumentation
diagrams, isometric drawings, safe shutdown analyses, and fire and seismic PSAs are other sources
of information on equipment locations.
Spatial Interactions
Additional consideration is required to address spatial interactions between adjacent areas.
There may be cases in which a malicious act in one area can disable equipment, components, or
devices in one or more adjacent areas.
combinations of areas to which an adversary would have to gain access in order to complete
sabotage scenarios that could lead to HRCs. Each such combination of areas is a minimal
cut set of the sabotage area logic model, and represents the full set of target areas an
adversary needs to penetrate in order to accomplish a sabotage scenario.
2. Identify protection sets: The sabotage area logic model is analyzed to determine the
minimum combinations of areas that should be protected in order to ensure that no sabotage
scenarios could be completed.
The process of solving the sabotage area logic model to identify candidate vital area sets is
illustrated in the Appendix.
4 Documentation of Results
The objective of the analysis documentation is to demonstrate that the VAI satisfies the
requirements specified by the competent authority. The documentation should be well structured,
concise and easy to review and update. Updates may be required to reflect changes in the assumed
adversary characteristics as well as modifications to the facility operation, safety systems and
measures, and the locations of facility equipment, systems, structures, components, devices and/or
operator actions. The documentation should explicitly present the assumptions made in the policy
considerations topics discussed in Section 3.2.1 and comply with quality assurance requirements
specified by the competent authority.
Protecting Information
The VAI process generates sensitive information that should be protected properly according to
information security requirements of the competent authority. The information security
requirements and procedures will depend upon the legal system in the State where the facility is
located. Everyone who has access to the information generated in the VAI process should be
required to understand and follow the information security requirements.
to select the set of vital areas that meets the requirement for protection against radiological
sabotage while minimizing impacts of physical protection measures on plant safety, costs, and
operations. Proper documentation of the process will provide the necessary information to
reconstruct the results of the analysis to support review, approval, and updating of the vital area
selection.
6 References
[1] INTERNATIONAL ATOMIC ENERGY AGENCY, "Identification of Vital Areas (IAEA Nuclear Security Series No. 16)," IAEA, Vienna, Austria, 2012.
[2] INTERNATIONAL ATOMIC ENERGY AGENCY with PAKISTAN NUCLEAR REGULATORY AUTHORITY & CHINA INSTITUTE OF ATOMIC ENERGY, National Training Course on Physical Protection of Nuclear Material & Nuclear Facilities, Vienna, Austria: IAEA with PNRA & CIAE, 2007.
[3] INTERNATIONAL ATOMIC ENERGY AGENCY, "The Physical Protection of Nuclear Material and Nuclear Facilities (INFCIRC/225/Rev 5)," IAEA, Vienna, Austria, 2011.
[4] INTERNATIONAL ATOMIC ENERGY AGENCY, "IAEA Safety Glossary 2007 Edition," IAEA, Vienna, Austria, 2007.
6. In order to cause the IEs and disable the various components, a saboteur would have to gain
access to different plant areas, designated with L labels in Table 1 below.
Table 1
Event        Location
Disable C1   L1
Disable C2   L2
Disable C3   L2
Disable C4   L2
Disable C5   L3
Disable C6   L3
Disable C7   L5
Disable C8   L6
Disable C9   L6
Disable C10  L6
Cause IE1    L8
Cause IE2    L9
The statements above constitute one form of a logic model for sabotage of the facility. By
carefully analyzing these statements, we could determine the combinations of locations that a
saboteur would have to enter to cause all the IEs and component failures that would lead to URCs.
For example, if a saboteur could gain access to L2 and L8 he could initiate IE1 and disable S1,
resulting in a release that exceeds URC limits. The saboteur can cause IE1 if he gains access to
L8. If the saboteur disables both T1 and T2, S1 will not be able to mitigate IE1. T1 can be disabled
by disabling C2 and T2 can be disabled by disabling C3. Both C2 and C3 can be disabled from
L2, so by gaining access to both L2 and L8 the saboteur can cause URCs. By reviewing the
statements and location table in detail, all the combinations of locations from which IEs can occur
sufficient to cause URCs could be identified. As long as the facility is simple enough, it is possible
to derive the location combinations from which sabotage can be accomplished by inspection as
done in the previous paragraph. A more useful approach is to represent the relationships between
IEs, disablement events and locations in a logic equation. The event to be represented in this logic
equation is release in excess of URCs. Using the definitions in Table 2, the following equations
are developed corresponding to statements 1 through 5 above:
URC = IE1*S1 + IE2*S2    (1)
S1 = T1*T2    (2)
S2 = T3*T4 + T3*T5    (3)
T1 = C1 + C2    (4)
T2 = C3 + C4    (5)
T3 = C5 + C6    (6)
T4 = C7 + C8    (7)
T5 = C9 + C10    (8)
(9)
T2 = L2 + L2 = L2    (10)
T3 = L3 + L3 = L3    (11)
T4 = L5 + L6    (12)
T5 = L6 + L6 = L6    (13)
S1 = (L1 + L2)*L2 = L2    (14)
(15)
(16)
For this simple example, there are three combinations of locations from which a saboteur could
cause URCs:
URC = L8*L2 + L9*L3*L5 + L9*L3*L6    (17)
Each combination of locations from which sabotage can be caused is called a cut set of the
sabotage location equation. The objective of VAI is to find a minimum set of areas to be protected
against sabotage to prevent all possible scenarios leading to URCs. This means that we must
protect at least one of the areas in each combination of areas from which sabotage can be
accomplished. Each combination of locations whose protection will prevent all sabotage scenarios
is a prevention set for the logic model and constitutes a candidate vital area set. For simple sabotage
location equations it is possible to directly determine the combinations of locations whose
protection will prevent sabotage. From equation 17, it can be seen that if the adversary is prevented
from gaining access to the following combinations of areas, URCs cannot occur.
URC Prevented = ~L8*~L9 + ~L8*~L3 + ~L2*~L9 + ~L2*~L3 + ~L8*~L5*~L6 + ~L2*~L5*~L6    (18)
In equation 18, a tilde (~) before a location indicates that access to that location is prevented; for example,
~L8 means access to L8 is prevented. In Boolean algebra terms, ~L8 is the complement (non-occurrence, or NOT) of L8. For the example facility, there are six candidate vital area sets as shown
in equation 18. This result can also be derived algebraically by forming the complement of the
sabotage location equation and simplifying using the rules of Boolean algebra. The protection of
any one of the candidate vital area sets will ensure that a saboteur cannot cause URCs. If, for
example, we select the set L2 and L3 as the final vital area set, these are the only two areas of the
plant that would be protected as vital areas. Protecting these two areas will ensure that none of the
possible sabotage scenarios can be completed.
Fault trees can be used to efficiently represent the sabotage logic for more complicated
facilities. Figure A-1 provides a fault tree for the example facility that will be solved to further
illustrate the process of identifying candidate vital area sets. The top event in this tree is release in
excess of URC limits (represented by the symbol URC). The logic gates show the ways the events
in the tree combine to cause the top event, and the tree is developed down to the level of component
failures. Figure 2.1 shows the fault tree with all terminal events replaced with the locations from
which the events can be caused. This sabotage location fault tree is solved using the Boolean
algebra concepts applied in equations (1) through (17) to produce the same results. The expression
in parentheses beside each gate is the solution for the gate in terms of the terminal events in the
tree. One way to generate the level 1 protection sets for a fault tree is to form and solve the dual
for the tree. The dual of a fault tree is formed by changing each OR gate in the tree to an AND
gate, each AND gate to an OR gate, and each event to the complement (NOT) of the event. There
are a variety of software packages available for solving fault trees and generating the prevention
sets (candidate vital area sets) needed in the VAI process.
In summary, the sabotage logic model for a facility can be developed in a number of
equivalent forms. The solution of the logic model produces candidate vital area sets that can be
protected to prevent sabotage. Any one of the candidate sets will contain a minimum set of
equipment needed to ensure that no sabotage scenarios can be completed.
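The following Python program is an added example and is not part of the original report or of the IAEA publications it cites. It encodes the appendix's sabotage logic model (equations (1) through (8)) and the event-to-area mapping of Table 1, then carries out VAI steps 5 through 8 from the process overview: it can drop events outside the assumed threat's capability, replaces terminal events with the areas from which they can be accomplished, solves for the minimal cut sets of the sabotage location equation (equation (17)), and forms the dual described in the fault-tree paragraph above to obtain the prevention sets, i.e. the candidate vital area sets of equation (18). The data structures, function names and the tilde notation for "access prevented" are choices made for this example, not notation from the report or from any fault tree software.

```python
"""Solving the appendix's sabotage logic model (equations 1-8 and Table 1).

Added example, not part of the original report. It follows VAI steps 5-8:
build the sabotage logic model, drop events outside the assumed threat's
capability, replace events with the areas they can be accomplished from,
and solve for minimal cut sets and prevention (candidate vital area) sets.
"""
from typing import Dict, FrozenSet, Iterable, Set, Tuple, Union

# A gate is ("and" | "or", [children]); a child is a gate or an event name.
Gate = Tuple[str, list]
Node = Union[str, Gate]

# Sabotage logic model transcribed from equations (1)-(8) of the appendix.
MODEL: Dict[str, Gate] = {
    "URC": ("or", [("and", ["IE1", "S1"]), ("and", ["IE2", "S2"])]),  # (1)
    "S1": ("and", ["T1", "T2"]),                                     # (2)
    "S2": ("or", [("and", ["T3", "T4"]), ("and", ["T3", "T5"])]),    # (3)
    "T1": ("or", ["C1", "C2"]),                                      # (4)
    "T2": ("or", ["C3", "C4"]),                                      # (5)
    "T3": ("or", ["C5", "C6"]),                                      # (6)
    "T4": ("or", ["C7", "C8"]),                                      # (7)
    "T5": ("or", ["C9", "C10"]),                                     # (8)
}

# Table 1: the area from which each terminal event can be accomplished.
LOCATION: Dict[str, str] = {
    "C1": "L1", "C2": "L2", "C3": "L2", "C4": "L2", "C5": "L3", "C6": "L3",
    "C7": "L5", "C8": "L6", "C9": "L6", "C10": "L6", "IE1": "L8", "IE2": "L9",
}

Term = FrozenSet[str]   # one product term: a cut set, or a protection set
DNF = Set[Term]         # a sum of products


def minimize(terms: Iterable[Term]) -> DNF:
    """Boolean absorption: drop any product that contains another product."""
    terms = set(terms)
    return {t for t in terms if not any(o < t for o in terms)}


def dnf_or(a: DNF, b: DNF) -> DNF:
    return minimize(a | b)


def dnf_and(a: DNF, b: DNF) -> DNF:
    return minimize({x | y for x in a for y in b})


def solve(node: Node, substitute: bool = True,
          infeasible: Set[str] = frozenset()) -> DNF:
    """Minimal cut sets of `node` (use "URC" for the top event).

    substitute=True replaces each terminal event with its area (VAI step 7),
    giving the sabotage location equation; substitute=False keeps component
    and IE names. `infeasible` lists terminal events the assumed threat
    cannot perform (VAI step 6); they are removed from the model.
    """
    if isinstance(node, str):
        if node in MODEL:
            return solve(MODEL[node], substitute, infeasible)
        if node in infeasible:
            return set()                  # no way to cause this event
        return {frozenset({LOCATION[node] if substitute else node})}
    op, children = node
    parts = [solve(c, substitute, infeasible) for c in children]
    result = parts[0]
    for part in parts[1:]:
        result = dnf_and(result, part) if op == "and" else dnf_or(result, part)
    return result


def prevention_sets(cut_sets: DNF) -> DNF:
    """Candidate vital area sets: the complement of the location equation.

    Each cut set is blocked by denying access to at least one of its areas,
    so the prevention expression is the AND over cut sets of the OR of the
    areas in each cut set (the dual: OR<->AND, area<->NOT area). Expanding
    that product of sums into a sum of products reproduces equation (18).
    """
    result: DNF = {frozenset()}           # identity element for AND
    for cut in cut_sets:
        result = dnf_and(result, {frozenset({area}) for area in cut})
    return result


def render(terms: DNF, negate: bool = False) -> str:
    """Format a sum of products in the report's notation, e.g. L2*L8 + L3*L5*L9."""
    key = lambda s: (len(s), s)           # natural order: L2 before L10
    prefix = "~" if negate else ""        # ~L8: access to L8 is prevented
    products = sorted((sorted(t, key=key) for t in terms),
                      key=lambda p: (len(p), p))
    return " + ".join("*".join(prefix + a for a in p) for p in products)


if __name__ == "__main__":
    cuts = solve("URC")
    print("URC =", render(cuts))                                          # (17)
    print("URC Prevented =", render(prevention_sets(cuts), negate=True))  # (18)
    print("IE2 outside threat capability: URC =",
          render(solve("URC", infeasible={"IE2"})))
```

Running the script prints equation (17) as `L2*L8 + L3*L5*L9 + L3*L6*L9` and the six prevention sets of equation (18); calling `solve("URC", substitute=False)` instead gives the twelve cut sets in terms of components and IEs, which is the intermediate result a reviewer would compare against the safety analysis before area substitution. The `infeasible` argument shows the effect of step 6: removing an IEMO the threat cannot cause shrinks both the cut sets and the vital area sets, which is why the assumed threat must be fixed by the competent authority before the model is solved.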